HITECH Prompts Breach Notification Plans

Getting ready to comply with mandate

Editor's Note: This four-part series analyzes how to comply with the data security and privacy provisions of the HITECH Act.
The most significant security provision of the HITECH Act is its explicit requirement for healthcare organizations to promptly notify individuals of data security breaches.
To comply with HITECH, hospitals, clinics, insurers and others must prepare a detailed plan for how to deal with a breach if one should occur, says Dan Rode, vice president for policy and government relations at the American Health Information Management Association, Chicago.
The plan should spell out who will be involved in notifying patients of a breach, how the organization will conduct an analysis of why the breach occurred and what steps should be taken to prevent future breaches, he says.
A recent survey by the Healthcare Information and Management Systems Society, however, found that only half of hospitals had a plan in place for responding to a security breach as of late last year.
"I am concerned that organizations lack a comprehensive incident response plan," says Lisa Gallagher, senior director for privacy and security at Chicago-based HIMSS. "And organizations need to be actively identifying breaches and compromises of patient data in a much more systematic way."
Notice within 60 days
The HITECH Act toughens the standards originally included in the Health Insurance Portability and Accountability Act of 1996. Most notably, it requires healthcare organizations to notify patients affected by a data security breach within 60 days. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals.
An interim final rule providing more details on HITECH's data security breach notification requirements allows healthcare organizations to determine whether a particular data security breach presents "significant risk" and thus needs to be reported.
This "harm threshold" has proven controversial, because it means federal regulators are largely leaving it up to healthcare organizations to determine if they need to give notification of a breach. Privacy advocates decried the policy, while some health associations hailed it.
As a result of the "harm threshold" provision, healthcare organizations must "create a well-defined risk analysis process" to help them determine what breaches to report, says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. "Now is the time to get that done."
The HIPAA privacy and security rules, and penalties, now apply directly to business associates, such as banks, claims clearinghouses, billing firms, health information exchanges and software companies, as though they were healthcare organizations.
Previously, the rules only applied to "covered entities," including such healthcare organizations as hospitals, physician group practices and health insurers. Now, the rules apply to any organization that has access to "protected health information."
Business associates experiencing a breach must notify the covered entity, which then must notify the individuals. Companies that sell personal health records, however, must comply with a similar breach notification rule from the Federal Trade Commission.
Light on details?
Many healthcare organizations have business associate agreements that "lack significant information," laments Walsh, the consultant.
For example, the agreements fail to specify when a breach has to be reported, to whom it should be reported and how it should be reported, he points out. He advises hospitals and clinics, for example, to spell out that their business associates should never use unsecured e-mail to report a breach.
But some hospitals are aggressively updating their business associate agreements to ensure HITECH compliance.
At Good Samaritan Hospital in Vincennes, Ind., the internal audit department originally drafted all business associate agreements, says CIO Charles Christian. "That department is now reviewing those agreements and making sure that all the 'i's' are dotted and the 't's' are crossed."
"We have been very proactive in contracts that we have negotiated over the past several years to ensure that we are, in fact, partners with our vendors and that we do hold them accountable to work with us on data breach notifications," says Stephanie Reel, vice president for information systems at Johns Hopkins Medicine, a Baltimore-based academic medical center.
"Going forward, we are certainly ensuring that the language in our business associate contracts is as strong as it needs to be to hold both of us accountable for what we need to do," Reel adds.
Part four of this series deals with HITECH enforcement.